SCCM and Bitlocker TPM Real Life

Read more here: https://www.sccm.biz/2012/06/sccm-and-bitlocker-tpm-real-life.html
SCCM and Bitlocker TPM Real Life, Paddy Maddy
Alright, I felt like blogging some more about getting TPM activated on Dell, HP and Lenovo, to get Bitlocker in action.

Common Steps I use:

  1. DC – Prepare Active Directory
  2. SCCM – Prepare a 350MB Bitlocker partition in TS
  3. SCCM – Update BIOS
  4. SCCM – Reboot
  5. SCCM – Enable/Activate TPM and Set BootSequence
  6. SCCM – Reboot
  7. SCCM – Enable Bitlocker and place it as the last step in the TS
  8. SCCM – Add Disable Bitlocker on the Top of the TS
  9. SCCM – Use DCM in 2007 or Settings Management in 2012 to monitor that your Clients are secured with Bitlocker.

The tricky part is step 4: each vendor has its own way of turning on features in the BIOS. And as this is a security device, you may have trouble setting this configuration if it has an Admin password etc., and you may lock yourself out. Oh, and yes, the BIOS update can be a bit tricky too; I've blogged about that before.
With Configmgr 2012 SP1 you can add a Pre-provision Bitlocker step to your Task Sequence that will start encryption of the disk right before the Apply Image step.
This way it will almost be complete when the OSD finishes, and with very little overhead.
Cool feature!
1. Do the required steps to prepare your Active Directory first and set Group Policies.
https://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx
Then, before you add the Enable Bitlocker step in the SCCM Task Sequence, you need to get the TPM chip activated on the Client computers prior to this step.
So here we go.
It's all very easy when you know how, right 🙂
You can test the command lines manually, but remember to run the cmd as Administrator.
Dell
You need to get your hands on the Dell CCTK:
The latest version of CCTK is 2.1.
https://downloads.dell.com/folder00480000m/2/Sys-Man_Application_H1TD3_WN32_2.1_A00.EXE
The CCTK gives you the ability to turn on the TPM chip, set a password, change BIOS settings etc.
You can either inject it into the Boot image, or just use it like an Application package and run commands.
The second option is the easiest.
Dell TPM Bios – SCCM Task Sequence example
https://www.delltechcenter.com/page/How+to%3A+Enable+Trusted+Platform+Module+Using+a+ConfigMgr+2007+Task+Sequence
Remember the checkbox Disable 64-bit file system redirection on the 64-bit Task Sequence step.
HP
The REPSET file is the clue here.
First, download the utility needed:
https://h20331.www2.hp.com/hpsub/cache/284133-0-0-225-121.html?jumpid=ex_R2845_vanityim/gossm/ka011106
You need to create a TPMEnable.REPSET file.
This is what I've created. It's listed as text here:
English
Reset of TPM from OS
*Disable
Enable
OS Management of TPM
Disable
*Enable
Activate Embedded Security On Next Boot
Disable
*Enable
Embedded Security Device Availability
*Available
Hidden
Embedded Security Activation Policy
F1 to Boot
Allow user to reject
*No prompts
Power-On Authentication Support
*Disable
Enable
Password Minimum Length
8
At least one symbol required
Yes
*No
At least one number required
Yes
*No
At least one upper case character required
Yes
*No
At least one lower case character required
Yes
*No
HP SpareKey
*Disable
Enable
Always Prompt for HP SpareKey Enrollment
*Disable
Enable
Are spaces allowed in password
Yes
*No
Boot Order
Hard Drive(C:)
Network Controller
Now for SCCM, the command line is:
BiosConfigUtility.exe /setConfig:TPMEnable.REPSET /NewAdminPassword:Nicolai1!
Yes, with HP you have to set an Admin password, just like Dell.
But what if you already have a password?
Then run this:
BiosConfigUtility.exe /setconfig:TPMEnable.REPSET /cspwd:"Passord" /nspwd:"Passord"


It's very often smart to do some testing of the commands manually if it's not working for you as expected. Now, this is the status you want in TPM Management in Windows:
The computer is now ready for the Enable Bitlocker step in the Task Sequence.
Lenovo
Lenovo made it very easy actually. It's all about WMI. 🙂
Download the Script and put it in a Package.
Sample Scripts for BIOS Deployment Guide
https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles_pdf/script.zip
BIOS Setup using Windows Management Instrumentation Deployment Guide – English
https://download.lenovo.com/ibmdl/pub/pc/pccbbs/thinkcentre_pdf/crdeploy_en.pdf
But, somehow Lenovo made different names in the BIOS for enabling TPM depending on whether it's a Laptop or Desktop: SecurityChip and TCG.
So the commands are:
Laptops:
Cscript.exe SetConfig.vbs SecurityChip Active
Desktops:
Cscript.exe SetConfig.vbs "TCG Security Feature" Active
You can list the Bios settings with this command:
cscript.exe ListAll.vbs
Set the Boot Order to HDD first.
Because the way TPM secures the encryption keys is by ensuring that the way your system boots up or starts is always the same as it was at the time you enabled BitLocker. This means if you are encrypting your system drive (C:) it is important that you set the boot order so that the Hard Drive is always first.
It is therefore important that the boot order is not changed after Bitlocker is enabled.
If you need to make changes, like a BIOS update etc., pause/disable Bitlocker in Windows first.
And if you just want BitLocker on Laptops, it's easy to do it with a Task Sequence Variable and the MDT Toolkit. The variable is then IsLaptop Equals True.


8. SCCM – Add Disable Bitlocker on the Top of the Task Sequence
To be able to refresh a Computer you need to turn off Bitlocker on the partition C:.
This is done very simply by adding Disable Bitlocker on top of your Task Sequence:
With the Task Sequence Variable _SMSTSinWinPE Equals "false"
Because you only want to run the step when not in WinPE mode.
9. SCCM – Use DCM in 2007 or Settings Management in 2012 to monitor that your Clients are secured with Bitlocker.
Setting up Settings Management in SCCM 2012
Name it Bitlocker Active
Namespace:  root\CIMv2\Security\MicrosoftVolumeEncryption
Class:  Win32_EncryptableVolume
Property:  DriveLetter

On the Compliance Rules:
  • Operator:  Equals
  • Value:  C:
  • Severity:  Critical
Monitoring … where to look?
View also Lars Vegar Halvorsen's blogpost about TPM.
It's not always the case that the TPM chip is activated or the password is set. What happens then is that the script/TS step fails.
He has written a PowerShell script to help you with this logic.
https://www.configmgr.no/2013/02/03/tpm-and-bitlocker-in-real-life/
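As an added example (not from the original post or from the linked script), here is a script-based discovery setting for Settings Management / DCM that checks both halves of the chain the post walks through: the TPM state you want to see in TPM Management (enabled, activated, owned) and that C: is not just an encryptable volume but actually protected. It assumes the ConfigMgr client runs it as SYSTEM on the Windows OS, not in WinPE, and that the compliance rule is built as "Value Equals Compliant".

```powershell
# Added example for a ConfigMgr script-based compliance setting (assumed setup,
# not the post's own DCM rule). Returns "Compliant" or a NonCompliant reason.
$tpmNs = 'root\CIMv2\Security\MicrosoftTpm'
$bdeNs = 'root\CIMv2\Security\MicrosoftVolumeEncryption'

function Get-TpmState {
    # Win32_Tpm needs admin rights; the ConfigMgr client runs as SYSTEM.
    $tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return @{ Present = $false } }
    return @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled       # enabled in BIOS
        Activated = [bool]$tpm.IsActivated().IsActivated   # activated in BIOS
        Owned     = [bool]$tpm.IsOwned().IsOwned           # ownership taken by Windows
    }
}

function Get-BitLockerState([string]$Drive = 'C:') {
    $vol = Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume `
        -Filter "DriveLetter='$Drive'" -ErrorAction SilentlyContinue
    if (-not $vol) { return @{ Found = $false } }
    return @{
        Found            = $true
        # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
        ProtectionStatus = $vol.GetProtectionStatus().ProtectionStatus
        # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
        # 2 = encrypting, 3 = decrypting, 4 = encryption paused, 5 = decryption paused
        ConversionStatus = $vol.GetConversionStatus().ConversionStatus
    }
}

function Test-BitLockerCompliance {
    $tpm = Get-TpmState
    if (-not $tpm.Present)   { return 'NonCompliant: no TPM found in WMI' }
    if (-not $tpm.Enabled)   { return 'NonCompliant: TPM not enabled in BIOS' }
    if (-not $tpm.Activated) { return 'NonCompliant: TPM not activated in BIOS' }
    if (-not $tpm.Owned)     { return 'NonCompliant: TPM ownership not taken' }

    $bde = Get-BitLockerState 'C:'
    if (-not $bde.Found) { return 'NonCompliant: C: is not an encryptable volume' }
    if ($bde.ConversionStatus -eq 0) { return 'NonCompliant: C: is fully decrypted' }
    if ($bde.ProtectionStatus -ne 1) {
        return "NonCompliant: C: protection status $($bde.ProtectionStatus) (conversion $($bde.ConversionStatus))"
    }
    return 'Compliant'
}

# The last value written to the pipeline is what the compliance rule evaluates.
Test-BitLockerCompliance
```

A client that still shows "encrypting" after Pre-provision Bitlocker will report NonCompliant with the conversion status in the reason, which tells you whether to wait or to look at the TS step.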